This paper clarifies the picture about Dense-choice Counter Machines, which have been less studied
than (discrete) Counter Machines. We revisit the definition of "Dense Counter Machines" so that
it now extends (discrete) Counter Machines, and we provide new undecidability and decidability
results. Using the first-order additive mixed theory of reals and integers, we give a logical
characterization of the sets of configurations reachable by reversal-bounded Dense-choice Counter Machines.

1 Introduction

Discrete (i.e. integer-valued) Counter Machines have been well-studied and still receive a lot of attention.
We can mention Minsky Machines [13], different kinds of counter systems (e.g., [3] OH, which are
Minsky Machines using affine functions instead of increment/decrements and zero-tests, or (7J|6l), Petri
nets (or equivalently, VASS), and their many extensions.

There are also extensions of discrete counter systems to real-valued systems, called hybrid systems,
such as linear hybrid automata, real-counter systems @, or dense counter systems [16]. Another subclass
of hybrid systems is the well-known decidable model of Timed Automata [2], which has been linked to
special classes of counter systems in Q and (§]. Recently, some connections between Timed Automata
and timed Petri nets have been made fl4l l5l. An extension of counter systems to timed counter systems
has been defined and studied in J4).

Linear hybrid automata [1], as well as Timed Automata extended with only one stopwatch, are already
undecidable. Other subclasses of hybrid systems, like hybrid Petri nets (stochastic Petri nets,
continuous Petri nets, differential Petri nets, timed Petri nets) are dense extensions of Petri nets, but they
do not have the same semantics and their comparison is not always easy or feasible (see ifTTI for a recent
survey).
On the other side, from our point of view, the natural extension of (discrete) counter systems to dense
counter systems is quite recent; to the best of our knowledge, the first paper which introduces Dense
Counter Machines (DCM) as a natural generalization of Counter Machines (CM) is [16]. Their Dense
Counter Machine allows incrementing/decrementing each counter by a non-deterministically-chosen real
$\delta$ between 0 and 1. The motivation of this extension is to model hybrid systems where a nondeterministic
choice can be made (see for example the argumentation about the dense producer/consumer in [16],
which neither Timed Automata nor hybrid automata can model in an easy way). However, what can we
gain from extending CM (which have the total expression power of computability) into DCM? Non-trivial
problems will remain, of course, undecidable. The direction followed by [16] is to find subclasses
of DCM for which the binary reachability is still computable, such as reversal-bounded DCM.

Our contributions. We give a general definition of Counter Systems containing all the variations of
counters (discrete, dense-choice, purely dense-choice, etc.). We then revisit the definition of "Dense
Counter Machines" [16] into Dense-choice Counter Machines (shortly, also, DCM) so that it is now
simpler, more precise and formal, and also more clearly understandable as a natural extension of Minsky
Machines. A DCM is a finite-state machine augmented with dense-choice counters, which can assume
only non-negative real values. At each step, every dense-choice counter can be incremented/decremented
by 0, 1, or by a non-deterministically-chosen $\delta$, $0 < \delta < 1$ (which is supposed different at each step, since
the choice is random). We assume w.l.o.g. that for a given step, the same $\delta$ is used for all the counters.
This $\delta$ increment/decrement is the essential difference between dense-choice and discrete counters. A
DCM can also test a counter $x_i$ against 0 (either $x_i = 0$ or $x_i > 0$).

Since dense-choice counters are (trivially) more general than discrete counters, we also study the 
model of purely-DCM, i.e. DCM in which counters lose the ability to increment/decrement by 1. We 
show that the restriction to bounded purely-DCM (i.e. there exists a constant bound b such that each 
counter is bounded by b) still produces an undecidable control-state reachability problem (even with 
four 1-bounded purely dense-choice counters).

We then consider an effective (i.e. whose binary reachability is computable) class of DCM: reversal-bounded
DCM [16]. In order to model hybrid systems more easily, we wish to introduce the ability for
a counter to be tested against an integer $k$ (instead of 0): this is an easy, common extension for Minsky
Machines and for Petri nets, but it produces new technical problems for reversal-bounded DCM. One
of the reasons is that the usual simulation of a $k$-test (i.e., several decrements and 0-tests, followed by
increments restoring the original counter value) does not preserve reversal-boundedness. We actually
show that reversal-bounded DCM with $k$-tests are equivalent to reversal-bounded DCM, using a long and
technical proof. This allows us to obtain as a corollary that the reachability relation of a DCM with one
free counter and a finite number of reversal-bounded $k$-testable counters is still effectively definable by a
mixed formula (this extends a previous result of [16]).

Using the first-order additive mixed theory of reals and integers, FO(R,Z, +, <), we give a logical 
characterization of the sets of configurations reachable by reversal-bounded DCM. We prove that any 
mixed formula is the reachability relation of a reversal-bounded DCM. This completes the initial result 
stating that the reachability relation of a reversal-bounded DCM is definable by a mixed formula. 

2 Dense-choice Counter Machines 

Notations. We use $\mathbb{R}$ to denote the set of real numbers, $\mathbb{R}_+$ the set of non-negative real numbers, $\mathbb{Q}_+$
the set of non-negative rational numbers, $\mathbb{Z}$ the set of integers, and $\mathbb{N}$ the naturals. Capital letters (e.g. $X$)
denote sets, and small letters (e.g. $x$) denote elements of sets. Bold-faced symbols (e.g. $\mathbf{x}$) denote vectors,
and subscripted symbols (e.g. $x_i$) denote components of vectors. Sometimes, for the sake of readability,
we use $x$ instead of $x_i$ (without real ambiguity). Throughout this paper, $n \in \mathbb{N}$ is the number of counters.

2.1 Extending Minsky Machines 

In this section, we motivate the use of Dense-choice Counter Machines, by arguing about possible ways
to extend Minsky Machines [13]. Minsky Machines are indeed the most elementary definition of Counter
Systems that we will consider here, and probably the most known. A Minsky Machine has a finite set of
control states, and operates transitions between them, by executing instructions on a finite set of integer-valued
variables (the counters). Its possible instructions are (1) increment a counter value by 1, (2) test
if a counter value is 0, and (3) if a counter value is greater than 0 then decrement it by 1.

Let $\mathcal{L}$ be a given logic, such as the Presburger logic FO(N, +, =), FO(R, Z, +, <), etc. A formula
$\mathcal{F}(\mathbf{x},\mathbf{x}')$ of $\mathcal{L}$, with $2n$ free variables, is interpreted as the transformation of counter values $\mathbf{x}$ into $\mathbf{x}'$: it
defines the counter values before and after the firing of a transition labelled by $\mathcal{F}(\mathbf{x},\mathbf{x}')$. Throughout
this paper, we will use several different classes of counter machines, each one based on the generic
Definition 2.1. They all use a finite labelling alphabet $\Sigma \subseteq \mathcal{L}$, defining instructions on a vector $\mathbf{x} =
(x_1, x_2, \ldots, x_n)$. The way the alphabet $\Sigma$ is defined is what makes the difference between various Counter
System classes.

Definition 2.1. A Counter System (CS for short) is a tuple $\mathcal{M} = (S,T)$ such that $S$ is a finite set of control
states, and $T \subseteq S \times \Sigma \times S$ is a finite set of transitions.

Remark that a Minsky Machine is a CS in which formulas of $\Sigma$ are of the form $(x' = x + 1)$,
$(x' = x = 0)$, $(x > 0 \wedge x' = x - 1)$, or true ($x$ being a component of $\mathbf{x}$, i.e., a counter $x_i$). Although
the reachability problem is undecidable for Minsky Machines (with at least two counters), we would like
to extend them for two reasons. First, if a Minsky Machine is reversal-bounded, then its reachability
relation is computable; thus, we would like to use a more powerful model than reversal-bounded Minsky
Machines, which remains decidable. This first point will be detailed in Sections 2.2 and 2.3. Second,
Minsky Machines are very basic and not practical to use for modelling or expressing high-level properties.
For that matter, we add the possibility to use real-valued counters, and to non-deterministically
choose the value of an increment/decrement for each transition. In the remainder of this section, we
discuss these two extensions.

In order to get real-valued counters, we define Dense Minsky Machines, which are CS whose $\Sigma$ is
composed of formulas of the form $(x' = x + r)$, $(x' = x = 0)$, $((x - r > 0 \vee x - r = 0) \wedge x' = x - r)$, or true,
with a given finite set of values $r \in \mathbb{Q}_+$. Like in Minsky Machines, the initial counter values are always
0. This first extension is not really more powerful, since it can be simulated by a Minsky Machine:

Proposition 2.2. Minsky Machines and Dense Minsky Machines are bisimilar. 

Proof. One way is obvious, by taking $r = 1$. The other way is a little more elaborate, but remains
easy. We just have to simulate every Dense Minsky Machine instruction with a Minsky machine. There
are four instructions, and two of them are obviously the same: true and $x' = x = 0$. For the two other
instructions, $x' = x + r$ and $(x - r > 0 \vee x - r = 0) \wedge x' = x - r$, we just have to encode $r$ by an integer. Each
increment/decrement $r \in \mathbb{Q}_+$ can be written as $\frac{p}{q}$, with $p, q \in \mathbb{N}$. Then, since we know all the possible $r$ in
advance, we can compute for each $r$ a $q' \in \mathbb{N}$ such that r = where $q_{lcm}$ is the least common multiple
of all $q$. Thus, each $r$ can be represented by a non-negative integer $r' = pq'$, and the new counter values
will all be multiplied by the same factor $q_{lcm}$. Using this simple encoding, we can simulate an instruction
$x' = x + r$ by a sequence of $r'$ instructions $x' = x + 1$. Likewise, $(x - r > 0 \vee x - r = 0) \wedge x' = x - r$ can be
simulated by a sequence of $r'$ instructions $x > 0 \wedge x' = x - 1$. □
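The encoding used in this proof can be run on a concrete one-counter program. The following Python sketch is an added example, not code from the paper; the instruction tuples, the function names and the sample program are constructed for illustration.

```python
from fractions import Fraction
from math import lcm

def encode(increments):
    """Map every rational r = p/q to the integer r' = p*q', with q' = q_lcm/q."""
    q_lcm = lcm(*(r.denominator for r in increments))
    table = {r: r.numerator * (q_lcm // r.denominator) for r in increments}
    return q_lcm, table

def run_dense(program):
    """Run a one-counter Dense Minsky program from x = 0.
    Instructions: ("inc", r), ("dec", r), ("zero",).
    Returns the final counter value, or None if an instruction is not enabled."""
    x = Fraction(0)
    for ins in program:
        if ins[0] == "inc":
            x += ins[1]
        elif ins[0] == "dec":
            if x - ins[1] < 0:          # guard (x - r > 0 or x - r = 0) fails
                return None
            x -= ins[1]
        elif x != 0:                    # zero test x' = x = 0 fails
            return None
    return x

def run_minsky(program, table):
    """Run the same program on an integer counter, replacing each step of
    size r by r' unit steps, as in the proof."""
    x = 0
    for ins in program:
        if ins[0] == "inc":
            for _ in range(table[ins[1]]):
                x += 1                  # x' = x + 1
        elif ins[0] == "dec":
            for _ in range(table[ins[1]]):
                if x == 0:              # guard x > 0 of the unit decrement fails
                    return None
                x -= 1
        elif x != 0:
            return None
    return x

# Constructed sample: the machine uses the increments 1/2, 2/3 and 5/6.
R = [Fraction(1, 2), Fraction(2, 3), Fraction(5, 6)]
SAMPLE = [("inc", R[0]), ("inc", R[1]), ("dec", R[2])]
BLOCKED = SAMPLE + [("dec", R[0])]      # would take the counter below zero

if __name__ == "__main__":
    q_lcm, table = encode(R)
    print(q_lcm, table)
    print(run_dense(SAMPLE), run_minsky(SAMPLE, table))
    print(run_dense(BLOCKED), run_minsky(BLOCKED, table))
```

The integer counter always holds the dense value multiplied by the common factor, and a decrement is blocked in one machine exactly when it is blocked in the other.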

Another way to extend Minsky Machines is to allow, on each transition, a non-deterministic choice
of the increment/decrement. We call this extension a Dense-choice Minsky Machine, which is a CS
whose $\Sigma$ contains formulas of the form $(x' = x + 1)$, $(x' = x = 0)$, $(x > 0 \wedge x' = x - 1)$, $(x' = x + \Delta)$,
$((x - \Delta > 0 \vee x - \Delta = 0) \wedge x' = x - \Delta)$, or true, where $\Delta$ symbolizes a non-deterministically-chosen value
$\delta \in \mathbb{R}_+$. The choice is made each time a transition is fired, so that two consecutive transitions labelled by
$x' = x + \Delta$ should generally have different values for $\Delta$: the choice is random, and we have no knowledge
of the chosen value (although we could check it afterwards, using an additional counter and transition).

1 Note that here, we take these values in $\mathbb{Q}_+$ because the important properties are (1) density and (2) an effective
representation of any rational number (this is not the case for reals, in general).

Here, we consider runs of finite length only: we show that the $\delta$ value can be chosen in $]0,1[$ instead
of $\mathbb{R}_+$:

Proposition 2.3. For finite-length runs, every Dense-choice Minsky Machine M with $\delta \in \mathbb{R}_+$ can be
simulated by a Dense-choice Minsky Machine M with $\delta \in ]0,1[$.

Sketch of the proof. Every run r of such a machine M can be simulated by a possibly longer run r of
M whose $\delta$ increments are in the open interval $]0,1[$. Without a formal proof and formal definitions of
control state and configuration, we show how, for instance, a transition from control state $s$ to $s'$, labelled
by $(x_1' = x_1 + \Delta)$, $(x_2' = x_2 + \Delta)$, and $((x_3 - \Delta > 0 \vee x_3 - \Delta = 0) \wedge x_3' = x_3 - \Delta)$, can be simulated in M
(each $\Delta$ being replaced at each firing of a transition by a $\delta \in$

First, M has a transition from $s$ to a new control state $s''$, labelled by the same formulas, but with
$0 < \delta < 1$. Second, in M there is also a transition from $s''$ to $s''$ itself, again labelled by the same formulas,
with $0 < \delta < 1$. Third, in M there is a transition from $s''$ leading to $s'$ labelled by $x_1' = x_1$, $x_2' = x_2$,
$x_3' = x_3$. Hence, a configuration $c'$ with control state $s'$ and counter values $(x_1', x_2', x_3') \in \mathbb{R}_+^3$ is reachable
in M from a configuration $c$ in control state $s$ and counter values $(x_1, x_2, x_3) \in \mathbb{R}_+^3$ iff $c'$ is reachable in M
from $c$. □

Therefore, there is no loss in generality in assuming that each increment is in the interval ]0, 1 [, at 
least as long as finite runs are considered. Instead, a bounded increment can give a finer degree of control 
on counters. In fact, in many physical systems, physical variables are actually bounded (e.g., a water level 
in a reservoir, which is a non-negative real value that cannot exceed the height of the reservoir). It seems 
difficult to model or check this kind of behaviour with a CS where increments are unbounded reals. 

Finally, we notice that allowing increments in the interval $]0,q[$, with a fixed $q \in \mathbb{N}$, does not give
any gain in expressivity with respect to the case of $q = 1$. For instance, to increment a counter $x$ by any
value $\delta$ with $0 < \delta < q$, it is enough to apply, in a Dense-choice Minsky Machine with non-deterministic
increments in $]0,1[$, a sequence of exactly $q$ transitions (this is possible, since $q$ is fixed), each of the
form $x' = x + \delta$, for $0 < \delta < 1$.

In the next section, we generalize and formalize the definition of Dense-choice Minsky Machine that 
we just motivated. 



Example: producer-consumer system. As a simple example of application of a machine with real-valued
counters, consider the following version of a traditional producer-consumer system, described
in [16]. A system may be in one of three states: produce, consume or idle. When in state produce, a
resource is created, which may be stored and later used while in state consume. The resource is a real
number, representing an available amount of a physical quantity, such as fuel or water. Production may
be stored, and used up much later (or not used at all). This system may be easily modeled by a finite
state machine with one dense-choice counter, which is shown below, where the resource is added when
produced or subtracted when consumed.
Using a real-valued counter, there is an underlying assumption that a continuous variable, such as this
resource, changes in discrete steps only; however, this is acceptable in many cases where a variable actually
changes continuously, since the increments/decrements may be arbitrarily small. Since the counter
may never decrease below zero, the specified system implements the physical constraint that consumption
must never exceed production. More complex constraints are decidable, for instance if expressed by
linear constraints on counter values. An example of a decidable query is whether total production never
exceeds twice the consumption.



2.2 Definitions and properties of Dense-choice Counter Machines 

Let $\mathbf{x}$ be a vector of $n$ variables, called dense-choice counters (or simply counters if not specified otherwise).
Dense-choice counters were called "dense counters" in [16]. A counter valuation is a function giving,
for any $x_i \in \mathbf{x}$, a value in $\mathbb{R}_+$. In this paper, we write $x_i$ (or $\mathbf{x}$) to denote both variable(s) and the image
of valuation(s), since there is no ambiguity and the meaning is obvious. Let $G = \{(x = 0), (x > 0), true\}$
be the set of guards. We say that a counter valuation $\mathbf{x}$ satisfies a guard $g \in G^n$ with the usual meaning,
denoted by $\mathbf{x} \models g$; for example, if $n = 3$ and $g = (true, x_2 > 0, x_3 = 0)$, then $(6,2,0) \models g$ but $(6,2,1) \not\models g$.
Let $A = \{1, \Delta\}$ be the set of actions; intuitively, 1 stands for an integer increment/decrement, and $\Delta$ stands
for a non-deterministically-chosen real increment/decrement.

Definition 2.4. A Dense-choice Counter Machine (shortly, a DCM) with $n > 0$ counters is a tuple $\mathcal{M} =
(S, T)$ where:

• $S$ is a finite set of control states, with a state $s_{fin} \in S$ called the final state of $\mathcal{M}$;

• $T \subseteq S \times \Sigma \times S$ is a finite set of transitions, with $\Sigma = (G \times \mathbb{Z} \times A)^n$.

Intuitively, the integer component $\lambda \in \mathbb{Z}^n$ of $\Sigma$ is a factor determining whether the transition is incrementing
or decrementing a counter, and of which value. Meanwhile, the action $a \in A^n$ determines
whether the increment or decrement is a real or integral value. For the sake of clarity, we sometimes
write transitions as $x > 0 \wedge x := x + 3\delta$, meaning that the guard on counter $x_i$ is $g_i = (x > 0)$, its factor is
$\lambda_i = 3$, and its action is $a_i = \Delta$.

Notice that our transitions are equivalent to those of [16], in which the authors used the notion
of modes. The modes stay, unit increment, unit decrement, fractional increment,
and fractional decrement are here respectively represented by the cases $(\lambda_i = 0)$, $(\lambda_i > 0 \wedge a_i =
1)$, $(\lambda_i < 0 \wedge a_i = 1)$, $(\lambda_i > 0 \wedge a_i = \Delta)$, and $(\lambda_i < 0 \wedge a_i = \Delta)$. Also notice that transitions where
$\lambda \in \{+1,-1\}^n$ are just a special case, and that they can simulate a linear combination of the form
$x_i' = x_i + \sum_{j=1}^{m} \lambda_j \delta_j$, for a given $m$ and a vector of different $\delta_j$ values in $]0,1[$.

As usually done in verification, to interpret a DCM, we specify an initial valuation to each counter
and an initial control state, and then we let the machine behave non-deterministically. The behaviour of
a DCM mainly consists in choosing a transition whose guard $g \in G^n$ is satisfied by the current counter
valuations, and to update these valuations (and, of course, to go to the new control state).
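Definition 2.5. The semantics of a DCM $\mathcal{M} = (S, T)$ is given by a transition system $TS(\mathcal{M}) = (C, \to_{\mathcal{M}})$
where:

• $C = S \times \mathbb{R}_+^n$ is the set of configurations;

• $\to_{\mathcal{M}} \subseteq C \times C$ is the set of transitions, defined by:

$(s,\mathbf{x}) \to_{\mathcal{M}} (s',\mathbf{x}')$ if and only if $(s,(g,\lambda,a),s') \in T$ and $\exists \delta \in \mathbb{R}$ such that:
$0 < \delta < 1 \wedge \mathbf{x} \models g \wedge \mathbf{x}' = \mathbf{x} + \lambda u$, with $u = a[\Delta \leftarrow \delta]$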



For a DCM $\mathcal{M} = (S, T)$ and its transition system $TS(\mathcal{M}) = (C, \to_{\mathcal{M}})$, the reachability relation is
the reflexive and transitive closure $\to^*_{\mathcal{M}}$; when the context is clear, we drop the subscript $\mathcal{M}$. A run of $\mathcal{M}$ is
a sequence $(s^0,\mathbf{x}^0) \to (s^1,\mathbf{x}^1) \to \ldots \to (s^l,\mathbf{x}^l)$, of length $l > 0$. Because of the inherent non-determinism
of a DCM, we are interested only in runs ending in final state $s_{fin} \in S$. Formally, a run of $\mathcal{M}$ is accepting
if it is of the form $(s,\mathbf{x}) \to^* (s_{fin},\mathbf{x}')$, for some $s \in S$ and $\mathbf{x},\mathbf{x}' \in \mathbb{R}_+^n$; $\mathcal{M}$ is also said to accept. A DCM
is said to reject (or crash) during a run $(s,\mathbf{x}) \to^* (s',\mathbf{x}')$, if $s' \in S$ is a non-final sink state (hence, the
run cannot be extended to be an accepting run).

The set of all pairs $((s,\mathbf{x}), (s',\mathbf{x}')) \in C \times C$ such that $(s,\mathbf{x}) \to^* (s',\mathbf{x}')$ is called the binary reachability
relation of $\mathcal{M}$; we sometimes call it binary reachability or reachability relation. The binary reachability
problem consists in computing² the binary reachability relation of a given DCM. An easier version is
the control-state reachability problem (shortly, state reachability problem), which consists in deciding
whether a given control state is reachable in some accepting run of a given DCM.

The example at the end of Section 2.1 is a DCM, if we remove the guard $x - \delta > 0$ (the machine
crashes if the guard is not satisfied).



Although a DCM has only a restricted set of possible operations on counters, it can perform various
higher-level macros, such as reset, copy, addition, subtraction, comparison, etc. Here, we give the
encodings of some of these macros, in order to be able to use them as shorthands in this paper.

We denote by reset(x), copy(x,y), add(x,y), and minus(x,y) the DCM on Figures
1a, 1b, 1c and 1d (respectively).

[Figure 1: Encodings of reset, copy, add, and minus operations. Panels: (a) Reset of a counter;
(b) Copy of a counter into other ones; (c) Addition of a counter into another one;
(d) Subtraction of a counter from another one.]



2 By "computation", we mean the existence of an algorithm which computes a formula (e.g. as a binary automaton). In 
general, such computation does not exist. 
Let $G'_k = \{(x = i), (x < i), (x > i), true\}_{i \in [0,k]}$, for a given $k \in \mathbb{N}$. A DCM whose set of guards is
included in $G'_k$ is called a k-DCM. The counters of a k-DCM are said k-testable. Notice that a DCM is a
0-DCM, and note that dense-choice counters are 0-testable if not specified otherwise.

Proposition 2.6. DCM can simulate k-DCM, for any given $k \in \mathbb{N}$.

Proof. There are three different kinds of additional tests: $x < k$, $x > k$, and $x = k$, for any given $k \in \mathbb{N}$.
We show how to encode each of them with only $x = 0$ and $x > 0$ tests.

A test $x < k$, represented by a transition labelled $x < k$, can be simulated by the following encoding:

[Figure: encoding of the test $x < k$; surviving label: $k - 1$ unit decrements.]

Note that to avoid modifying the value of $x$, we copy it into another counter $y$ by using the encoding
of Fig. 1b. In an easier way, a test $x > k$ (resp. $x = k$) can be simulated by a sequence of $k$ unit decrements
followed by a test $x > 0$ (resp. $x = 0$). Finally, remark that the test $x < 0$ can never be verified, since a
counter cannot take negative values: instead, the machine would crash. □

Definition 2.7. Let $\mathcal{M}$ be a DCM. A counter $x_i$ of $\mathcal{M}$ is purely dense-choice if and only if $a_i = \Delta$ in every
transition (i.e., it is never incremented/decremented by 1). Conversely, a counter $x_i$ is (purely) discrete if
and only if $a_i = 1$ in every transition (i.e., it is a classical discrete counter). If $\mathcal{M}$ contains only purely
dense-choice counters, it is called a purely-DCM. If $\mathcal{M}$ contains only discrete counters, it is called a
(discrete) Counter Machine (CM), as defined in UTTS .



2.3 Reversal-Bounded DCM 

To extend the definition of reversal-boundedness from [12] to DCM, let $\mathcal{M} = (S, T)$ be a DCM, $s,s' \in S$,
and $r \in \mathbb{N}$. On a run from $s$ to $s'$, a counter $x_i$ is r-reversal-bounded if, along the transitions of the run, the
factors $\lambda_i$ switch between positive and negative values at most $r$ times, for any $i$. Counter $x_i$ is reversal-bounded
(shortly, r.b.) if there is an $r$ such that, on every accepting run of $\mathcal{M}$, $x_i$ is r-reversal-bounded.
$\mathcal{M}$ is a reversal-bounded Dense-choice Counter Machine, denoted by r.b. DCM, if every counter in $\mathcal{M}$
is reversal-bounded.

A counter which is not necessarily reversal-bounded is called a free counter.

In this model, one can effectively check at runtime whether a counter is r-reversal-bounded, by
making the control state check when transitions are incrementing ($\lambda_i > 0$) or decrementing ($\lambda_i < 0$) the
counter $x_i$. Thus, one can use additional control states in order to remember each reversal and crash if
the number of reversals exceeds $r$.
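The step relation of Definition 2.5 and the runtime reversal check just described fit in one small interpreter. The following Python sketch is an added example, not code from the paper; the tuple encoding of transitions, the function names and the four producer-consumer transitions are constructed for illustration (the original figure of that system is not reproduced on this page).

```python
from fractions import Fraction

DELTA = "Delta"   # the action written Delta in A = {1, Delta}

def satisfies(x, guard):
    """x |= g for guards taken from G = {(x = 0), (x > 0), true}."""
    tests = {"true": lambda v: True, "=0": lambda v: v == 0, ">0": lambda v: v > 0}
    return all(tests[g](v) for v, g in zip(x, guard))

def step(config, transition, delta):
    """One step (s, x) -> (s', x') for the chosen delta.
    Returns the successor configuration, or None if the step is not enabled."""
    s, x = config
    src, (guard, lam, act), dst = transition
    if src != s or not (0 < delta < 1) or not satisfies(x, guard):
        return None
    u = [delta if a == DELTA else 1 for a in act]            # u = a[Delta <- delta]
    x2 = tuple(v + l * ui for v, l, ui in zip(x, lam, u))    # x' = x + lambda u
    return (dst, x2) if all(v >= 0 for v in x2) else None    # stay in S x R_+^n

def reversals(factors):
    """Number of switches between positive and negative factors (zeros ignored)."""
    signs = [f > 0 for f in factors if f != 0]
    return sum(a != b for a, b in zip(signs, signs[1:]))

def run(config, steps, r):
    """Fire the (transition, delta) pairs in order. Returns the last configuration,
    or None if a step is not enabled or some counter makes more than r reversals."""
    history = [[] for _ in config[1]]
    for transition, delta in steps:
        config = step(config, transition, delta)
        if config is None:
            return None
        for h, l in zip(history, transition[1][1]):
            h.append(l)
        if any(reversals(h) > r for h in history):
            return None
    return config

# Constructed one-counter producer-consumer machine (layout is an assumption).
PRODUCE = ("idle", (("true",), (1,), (DELTA,)), "produce")
REST_P = ("produce", (("true",), (0,), (DELTA,)), "idle")
CONSUME = ("idle", ((">0",), (-1,), (DELTA,)), "consume")
REST_C = ("consume", (("true",), (0,), (DELTA,)), "idle")
START = ("idle", (Fraction(0),))
HALF, QUARTER = Fraction(1, 2), Fraction(1, 4)
CYCLE = [(PRODUCE, HALF), (REST_P, HALF), (CONSUME, QUARTER), (REST_C, HALF)]

if __name__ == "__main__":
    print(run(START, CYCLE, r=1))                        # one reversal: accepted
    print(run(START, CYCLE + [(PRODUCE, HALF)], r=1))    # second reversal: crash
    print(run(START, CYCLE + [(CONSUME, HALF)], r=1))    # consumption > production
```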

Like in the case of discrete counters, one can always assume that $r = 1$; indeed, each sequence of
"increments, then decrements" can be simulated by a 1-r.b. counter, and thus a counter doing $r$ reversals
can be simulated by $r$ 1-r.b. counters.
From [16], we know that the binary reachability of a reversal-bounded DCM with one free counter
can be defined in a decidable logic: the logic of mixed formulae, which is equivalent to the well-known
FO(R,Z,+, <). Since the syntactical details of this logic are not relevant for now, their presentation is
postponed to Section 4.1. The above decidability result is stated in [16] as follows:

Proposition 2.8. The binary reachability of a DCM with one free 0-testable counter and a finite number
of reversal-bounded k-testable counters is definable by a mixed formula, for any k>0.

However, we have extended the guards of DCM to be able to test a counter against any given integer
constant: we proved in Proposition 2.6 that this is not more powerful in the general case, but this is far
from obvious when we consider r.b. DCM. Indeed, the proof of Proposition 2.6 uses an encoding which
does not preserve reversal-boundedness.

We now prove, as Theorem 2.11, that this extension is actually not more powerful either in the case
of r.b. DCM, provided we can use many more counters. Before that, a few more technical definitions are
needed.

Define, for any real number $x$, $fr(x) = 0$ if $\lfloor x \rfloor = x$ (i.e., $x$ is an integer), else $fr(x) = 1/2$. Given a
finite set $S$ (the control states of $\mathcal{M}$) and an integer $k > 0$, let $S' = S \times (\{0, \ldots, k\} \times \{0, 1/2\})^n$. A DCM
$\mathcal{M}' = (S', T')$ with $n$ 0-testable counters is called a finite-test DCM.

A configuration $(\langle\!\langle s, (d_1,f_1), \ldots, (d_n,f_n) \rangle\!\rangle, \mathbf{x})$ of $\mathcal{M}'$ is consistent if, for every $1 \le i \le n$, either
$(x_i \le k \wedge d_i = \lfloor x_i \rfloor \wedge f_i = fr(x_i))$ or $(x_i > k \wedge d_i = k \wedge f_i = 1/2)$ holds. Hence, in a consistent
configuration, a test of a counter against a constant $j \le k$ gives the same result as a test against the $d$ and $f$
components of the state.

In general, $\mathcal{M}'$ may also reach non-consistent configurations. A run of $\mathcal{M}'$ is consistent if it goes
through consistent configurations only.

Now, we need a technical lemma showing that, for any k-DCM, we can build an equivalent finite-test
DCM (the notion of equivalence used here is detailed in three requirements). This result will be used as
a basis for constructions in the proofs of Lemma 2.10 and Proposition 3.2.

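Lemma 2.9. Let $\mathcal{M} = (S, T)$ be a DCM, with $n$ k-testable counters $\mathbf{x}$, with $k > 0$. Then there exists a
finite-test-DCM $\mathcal{M}' = (S', T')$, with $n$ 0-testable counters such that:

1. if counter $x_i$ of $\mathcal{M}$ is reversal-bounded then counter $x_i$ of $\mathcal{M}'$ is also reversal-bounded

2. every run of $\mathcal{M}$ is also a run of $\mathcal{M}'$, i.e. for every run of $\mathcal{M}$ of length $l > 0$:

there exists a run of length $l$ for $\mathcal{M}'$:

$(\langle\!\langle s^1, (d_1^1,f_1^1), \ldots, (d_n^1,f_n^1) \rangle\!\rangle, \mathbf{x}) \to \cdots \to (\langle\!\langle s^l, (d_1^l,f_1^l), \ldots, (d_n^l,f_n^l) \rangle\!\rangle, \mathbf{x}')$

3. a consistent run of $\mathcal{M}'$ is also a run of $\mathcal{M}$, i.e. for every consistent run of $\mathcal{M}'$ of length $l > 0$:

$(\langle\!\langle s^1, (d_1^1,f_1^1), \ldots, (d_n^1,f_n^1) \rangle\!\rangle, \mathbf{x}) \to \cdots \to (\langle\!\langle s^l, (d_1^l,f_1^l), \ldots, (d_n^l,f_n^l) \rangle\!\rangle, \mathbf{x}')$

there exists a run of length $l$ for $\mathcal{M}$ of the form: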
Proof. The idea of this proof is to build $\mathcal{M}'$ to mimic the behaviour of $\mathcal{M}$, by reflecting the possible
variations of a counter value into its finite state control. For simplicity, we consider only the case $n = 1$,
but the proof can easily be generalized to any number of counters. Therefore, a state of $S'$ is a triple
$\langle\!\langle s,d,f \rangle\!\rangle$ where $s \in S$, $d$ is an integer in $0, \ldots, k$ and $f$ is either 0 or 1/2. Component $d$ is used as a
discrete counter from 0 up to $k$, intended to represent $\lfloor x_1 \rfloor$. Component $f$ is intended to represent the
fractional part of $x_1$: $f = 0$ is for the case $\lfloor x_1 \rfloor = x_1$, $f = 1/2$ otherwise. The definition of $T'$ is such that
all tests of counter $x$ against a constant $0 < j \le k$ are eliminated and replaced by finite-state tests on $d$
and $f$. For instance, a test $x > j$ is replaced by a test $d > j \vee (d = j \wedge f = 1/2)$. Only tests against 0 are
replicated in $T'$.

Formally, $T'$ is defined as follows.

Let $(s, (g,\lambda,a), s') \in T$. Define $g_1'$ to be true if $g_1$ is either true, $x_1 < j$, $x_1 = j$, or $x_1 > j$, for every
$j > 0$; otherwise, define $g_1'$ to be $x_1 = 0$ or $x_1 > 0$ if $g_1$ is, respectively, $x_1 = 0$ or $x_1 > 0$. Hence, $g_1'$ is
obtained from $g_1$ by eliminating all tests against a constant $j > 0$. For every $d \in \{0, \ldots, k\}$, $f \in \{0, 1/2\}$,
if one of the following conditions holds:

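• $g_1 = true$, or

• $g_1 = (x_1 < j)$ and $d < j$, or

• $g_1 = (x_1 = j)$ and $d = j \wedge f = 0$, or

• $g_1 = (x_1 > j)$ and $d > j \vee (d = j \wedge f = 1/2)$,

then $(\langle\!\langle s,d,f \rangle\!\rangle, (g',\lambda',a'), \langle\!\langle s',d',f' \rangle\!\rangle) \in T'$ for every $d' \in \{0, \ldots, k\}$, $f' \in \{0, 1/2\}$ such that
$\lambda_1' = \lambda_1 \wedge a_1' = a_1$ and one of the following five conditions holds: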

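1. $\lambda_1 = 0 \wedge d' = d \wedge f' = f$ (stay)

2. $\lambda_1 = 1 \wedge a_1 = 1 \wedge \big((d < k \wedge d' = d+1 \wedge f' = f) \vee (d = k \wedge d' = d \wedge f' = 1/2)\big)$ (integer increment)

3. $\lambda_1 = -1 \wedge a_1 = 1 \wedge \big((0 < d \le k \wedge d' = d-1 \wedge f' = f) \vee (d = k \wedge d' = d \wedge (f' = 1/2 \vee f' = 0))\big)$
(integer decrement)

4. $\lambda_1 = 1 \wedge a_1 = \Delta \wedge \big((f = 0 \wedge d' = d \wedge f' = 1/2) \vee (f = 1/2 \wedge d' = d+1 \wedge f' = 0) \vee (f = 1/2 \wedge d' = d+1 \wedge f' = 1/2) \vee (f = 1/2 \wedge d' = d \wedge f' = 1/2)\big)$ (fractional increment)

5. $\lambda_1 = -1 \wedge a_1 = \Delta \wedge \big((f = 0 \wedge d > 0 \wedge d' = d-1 \wedge f' = 1/2) \vee (f = 1/2 \wedge d > 0 \wedge d' = d-1 \wedge f' = 1/2) \vee (f = 1/2 \wedge d' = d \wedge f' = 0) \vee (f = 1/2 \wedge d' = d \wedge f' = 1/2)\big)$ (fractional decrement)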

Notice that in cases (4) and (5) more than one alternative may hold (i.e., the disjunctions between
parentheses), which correspond to nondeterministic choices of $\mathcal{M}'$. Also, in case (5) (fractional
decrement), it is implicit that if $f = 0 \wedge d = 0$ then $\mathcal{M}'$ crashes, since there is no available alternative.

The above definition implements the elimination of tests. 

Let $(\langle\!\langle s,d,f \rangle\!\rangle, (g',\lambda,a), \langle\!\langle s',d',f' \rangle\!\rangle) \in T'$. If the original test $g_1$ is against a constant $j > 0$, then
$g_1'$ only requires a test of state components $d$ and $f$, but no test of $x_1$. If, instead, $g_1$ is a test against 0,
then $g_1'$ is a test whether $x_1 = 0$, but the finite-state control also "tests" that both $d$ and $f$ are 0. Similarly,
if $g_1$ is $x_1 > 0$, then $g_1'$ is also $x_1 > 0$ and $d > 0 \vee (d = 0 \wedge f = 1/2)$ must hold. This entails that if at
runtime there is a test $x_1 = 0$ while $x_1 = 0 \wedge (d > 0 \vee f = 1/2)$, then $\mathcal{M}'$ crashes.

Now, we show that the machine we defined meets the 3 conditions stated by this lemma. 

Condition (1) is immediate, since one can effectively check if a dense-choice counter is r-reversal-bounded,
for a given $r > 0$, by checking when transitions are incrementing ($\lambda_i > 0$) or decrementing
($\lambda_i < 0$) the counter $x_i$. Thus, one can use additional control states in order to remember each reversal
and crash if the number of reversals exceeds $r$.

Condition (2) of the lemma is also obvious, since by construction, every transition in a run of $\mathcal{M}$
may be replicated in a run of $\mathcal{M}'$. Hence, a run of $\mathcal{M}$ is also a run of $\mathcal{M}'$, by adding suitable additional
components to the state.

Condition (3) also follows, since in a consistent configuration every test of a counter against $j > 0$
(with $j \le k$) is equivalent to a finite-state test. Hence, a consistent run in $\mathcal{M}'$ may be replicated also in
$\mathcal{M}$. □



Notice that, in general, a run of a finite-state DCM $\mathcal{M}'$ (as above) is not also a run of $\mathcal{M}$, since in
$\mathcal{M}'$ there is no test against constants, which are replaced by tests on state components $d$ and $f$. Indeed,
the fractional increments/decrements of the counter may lead to a non-consistent configuration where a
counter value $x_i$ is not compatible with the value of the i-th state component $d$ and $f$, e.g., $x < j$, for some
$j > 0$, and on the other hand $d > j$. Therefore, the tests on $d$ and $f$ may not give the same results as a
test on the actual value of $x$, and hence the run may be possible in $\mathcal{M}'$ but not in $\mathcal{M}$.
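The finite-state bookkeeping of the proof of Lemma 2.9 and the non-consistent configurations noted above can be explored for one counter. The following Python sketch is an added example, not code from the paper; the function names are constructed, factors are restricted to 0, +1 and -1, and the first disjunct of case (3) is read as 0 < d ≤ k, which is an assumption about the garbled original.

```python
from fractions import Fraction
from math import floor

HALF = Fraction(1, 2)
DELTA = "Delta"

def fr(x):
    """fr(x) = 0 if x is an integer, 1/2 otherwise."""
    return 0 if floor(x) == x else HALF

def abstraction(x, k):
    """The only (d, f) for which a configuration with counter value x is consistent."""
    return (floor(x), fr(x)) if x <= k else (k, HALF)

def holds(op, j, d, f):
    """Finite-state replacement of a test of x against the constant j."""
    if op == "<":
        return d < j
    if op == "=":
        return d == j and f == 0
    return d > j or (d == j and f == HALF)        # op == ">"

def successors(d, f, lam, act, k):
    """All (d', f') permitted by cases (1) to (5) for one counter."""
    out = set()
    if lam == 0:                                   # (1) stay
        out.add((d, f))
    elif lam == 1 and act == 1:                    # (2) integer increment
        out.add((d + 1, f) if d < k else (d, HALF))
    elif lam == -1 and act == 1:                   # (3) integer decrement
        if 0 < d <= k:
            out.add((d - 1, f))
        if d == k:
            out |= {(d, HALF), (d, 0)}
    elif lam == 1 and act == DELTA:                # (4) fractional increment
        out |= {(d, HALF)} if f == 0 else {(d + 1, 0), (d + 1, HALF), (d, HALF)}
    elif lam == -1 and act == DELTA:               # (5) fractional decrement
        if d > 0:
            out.add((d - 1, HALF))
        if f == HALF:
            out |= {(d, 0), (d, HALF)}
    return {(d2, f2) for d2, f2 in out if 0 <= d2 <= k}   # d' ranges over 0..k

def spurious(x, lam, act, delta, k):
    """Successor states the finite control allows although the real step
    x -> x + lam*u leads elsewhere: these yield non-consistent configurations."""
    x2 = x + lam * (delta if act == DELTA else 1)
    return successors(*abstraction(x, k), lam, act, k) - {abstraction(x2, k)}

def sound_on_grid(k, denom=4):
    """Check, on a grid of counter values and deltas, that the consistent
    successor is always among the permitted ones (condition 2 of the lemma)."""
    moves = [(0, 1), (1, 1), (-1, 1), (1, DELTA), (-1, DELTA)]
    for i in range((k + 2) * denom + 1):
        x = Fraction(i, denom)
        for lam, act in moves:
            for n in range(1, denom):
                x2 = x + lam * (Fraction(n, denom) if act == DELTA else 1)
                if x2 >= 0 and abstraction(x2, k) not in successors(
                        *abstraction(x, k), lam, act, k):
                    return False
    return True

if __name__ == "__main__":
    print(sound_on_grid(2))
    # x = 7/10 incremented by delta = 1/5 stays below 1, yet the control may move to d = 1.
    print(spurious(Fraction(7, 10), 1, DELTA, Fraction(1, 5), 2))
```

From x = 7/10 the control may guess d' = 1 after a fractional increment of 1/5, so a later finite-state test for x > 1 succeeds although x = 9/10.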

We now extend the result of Lemma 2.9 to a full equivalence relationship, this time between r.b.
k-DCM and r.b. DCM (not finite-state, but with about $2(k+1)$ times as many counters).

Lemma 2.10. A DCM $\mathcal{M} = (S,T)$ with one free 0-testable counter and n k-testable 1-r.b. counters is
equivalent to a DCM = (S , T ) with one free 0-testable counter and up to In + 2k(n +1) 0-testable
r.b. counters.

The idea of this proof (detailed in the appendix) is the following. We first build an
intermediate finite-state DCM like in Lemma 2.9. Then, we define to have its runs split in
two phases. The first phase simulates a run of on the first n counters, hence using finite-state tests
rather than actual tests on the counters in position 1 to n. However, during this simulation phase,
replicates the values stored in $x_i$ into the first $n(k+1)$ additional counters. The second phase verifies
that the simulated run of is actually consistent, by checking the actual counter values stored in the
additional counters, and crashing if, and only if, the simulated run was not consistent (e.g., verifying that
if entered a configuration with $d_i = j \wedge f_i = 1/2$, then $j < x_i < j + 1$). Notice that the additional
counters are still reversal-bounded. Hence, can faithfully simulate $\mathcal{M}$.

The proof assumes at the beginning a few restrictions on counter behaviors and tests, which are then 
lifted at the end. 

Since reversal-bounded counters can always be transformed into (a larger number of) 1-r.b. counters,
we can then generalize Proposition 2.6 to the case of r.b. counters, by directly extending Lemma 2.10.

Theorem 2.11. Reversal-bounded k-DCM can be encoded into reversal-bounded DCM, for any k > 0.

This theorem immediately generalizes the main result of [16], recalled here as Proposition 2.8.
3 Decidability and Undecidability results

The following table summarizes the results about DCM and their variations. The results in bold slanted
characters are proved in this paper, and the others were proved (or inferable) from previous papers,
namely [16] and [13]. There are four possible entries in this chart: "?" if we do not know whether the
state reachability problem is decidable, "U" if it is undecidable, "D" if it is decidable, and "C" if the
binary reachability relation is computable and definable in a decidable logic. The "+ r.b." (resp. "+
k-test. r.b.") means that the machine is extended with a finite number of reversal-bounded dense-choice
counters (resp. reversal-bounded k-testable dense-choice counters).
[Table of results: only fragments of its labels survive ("bounded", "DCM", "DCM + ... counters", "k-DCM", "+ r.b."); the entries are missing.]

In the remainder of this section, we prove two of these new results; the other new results are proved
in the previous section or directly inferable. Notice that the seven open problems could be solved by
only two or three proofs that subsume other results. However, the intuitions about 1 or 4 counters do not
fit the case of 2 or 3 counters, and the proof techniques get even more complex when we use k-testable
counters.

3.1 Undecidability for bounded purely dense-choice counters 

Given a DCM ℳ, a counter x of ℳ is b-bounded, b > 0, if x ≤ b along every run of ℳ. For instance, a
1-bounded counter can assume any non-negative value up to 1. A counter is bounded if it is b-bounded
for some b > 0.

Given b > 0, if a machine ℳ has a b-bounded k-testable dense-choice counter x, then one can assume
that ℳ must crash not only when trying to decrement x below 0, but also when trying to set x > b.
Indeed, if x was not bounded, ℳ could be modified to test at each step whether x ≤ b, crashing if this is
not the case (which would force x to be bounded).

Bounded integer counters have a finite set of possible values, which can be encoded into the control 
states. However, bounded dense-choice counters have an infinite set of possible values: a DCM with 
several bounded counters is a powerful model, as shown next. In general, the state reachability problem 
is a simpler problem than computing the binary reachability. However, the following proposition shows 
that even for state reachability, having only four 1-bounded counters implies undecidability.

Proposition 3.1. The state reachability problem is undecidable for bounded purely-DCM.

Proof. We show that the state reachability problem for a DCM with four purely dense-choice 1-bounded
1-testable counters is undecidable, which entails this proposition. The result follows the lines of the proof
in [16] that 4 purely dense-choice counters are enough to simulate a Minsky machine. The original proof
was based on using two counters to store a fixed value δ, chosen at the beginning of the computation. The
two remaining counters are then incremented or decremented only by this fixed value δ: any integer value
k is encoded as kδ. Hence, the two counters behave like two discrete counters without any restriction.
If the 4 counters are 1-bounded, then they can encode only up to an integer m = ⌊1/δ⌋. However, m is
unbounded, since δ, selected non-deterministically once at the beginning of a computation, can be chosen
to be arbitrarily small: if δ is not small enough then the DCM will crash trying to increase one of its
counters beyond 1 (for example, by resetting to the initial configuration so that δ can be chosen again
until it is small enough). But in every halting computation of a Minsky machine, the values encoded in
its two counters are bounded (with a bound depending on the computation). Therefore, the final state
of the DCM is reachable if, and only if, the simulated Minsky machine has one halting computation.
Hence, the state reachability problem is undecidable. □
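
The encoding used in this proof can be executed. The following Python code is an added example, not code from the paper: it runs a two-counter Minsky program on two 1-bounded dense counters that store the integer k as kδ, crashes when a counter would exceed 1, and chooses δ again after a crash. Assumptions: δ is held as a constant rather than in the two extra counters of the original proof, re-choosing δ is modelled by halving it, and the instruction names (`inc`, `jzdec`, `halt`) and the sample program are constructed for illustration.

```python
from fractions import Fraction


class Crash(Exception):
    """A 1-bounded counter would leave the interval [0, 1]."""


def run_bounded(program, delta, max_steps=10_000):
    """Run a two-counter Minsky program on two 1-bounded dense counters.

    The integer value k of a Minsky counter is stored as the real k*delta.
    Returns the decoded integer counters on halt; raises Crash on overflow.
    """
    delta = Fraction(delta)
    if not 0 < delta < 1:
        raise ValueError("delta must lie strictly between 0 and 1")
    x = [Fraction(0), Fraction(0)]
    pc = 0
    for _ in range(max_steps):
        op = program[pc]
        if op[0] == "halt":
            return tuple(int(v / delta) for v in x)
        if op[0] == "inc":            # ("inc", counter, next)
            _, c, pc_next = op
            if x[c] + delta > 1:      # the bound plays the role of the crash
                raise Crash(f"counter {c} would exceed 1 with delta={delta}")
            x[c] += delta
        elif op[0] == "jzdec":        # ("jzdec", counter, next_if_positive, next_if_zero)
            _, c, pc_pos, pc_zero = op
            if x[c] == 0:
                pc_next = pc_zero
            else:
                x[c] -= delta
                pc_next = pc_pos
        else:
            raise ValueError(f"unknown instruction {op!r}")
        pc = pc_next
    raise RuntimeError("step budget exhausted (the Minsky program may not halt)")


def simulate_with_retries(program, max_tries=32):
    """Choose delta again (assumption: by halving) after every crash."""
    delta = Fraction(1, 2)
    for _ in range(max_tries):
        try:
            return delta, run_bounded(program, delta)
        except Crash:
            delta /= 2
    raise RuntimeError("no suitable delta found within the retry budget")


# Constructed sample program: c0 := 3, then add 2 to c1 for each unit of c0.
# It halts with c0 = 0 and c1 = 6, so any delta <= 1/6 avoids a crash.
DOUBLE_THREE = [
    ("inc", 0, 1), ("inc", 0, 2), ("inc", 0, 3),
    ("jzdec", 0, 4, 6),
    ("inc", 1, 5), ("inc", 1, 3),
    ("halt",),
]

if __name__ == "__main__":
    print(simulate_with_retries(DOUBLE_THREE))
```

The largest value reached during the halting run (here 6) fixes how small δ must be, which is why the bound on the counters does not restrict halting computations.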

3.2 Decidability with one k-testable counter

Proposition 3.1 does not rule out decidability if using fewer than four counters, since its proof is based on a
four-counter purely-DCM. In particular, here we show that, for a DCM with only one counter, the binary
reachability can effectively be computed even if the counter is k-testable. This extension to k-testability
is indeed far from obvious.

In fact, the construction of the proof of Proposition 2.6 can be applied for tests of the form x > j or
x = j, for any j < k; this construction can be simulated by a sequence of j unit decrements followed by
a test x > 0 or x = 0, and then followed by j unit increments to restore the original value. However, it
cannot be applied for tests of the form x < j, since this would require a (non-existent) additional counter
to be able to restore the original counter value. The proof also requires the counter to be bounded, in
order to avoid an unbounded number of crossings of threshold k.

Again, we use the notion of mixed formula, which we develop in Section 4.1. Remember that it is a
decidable logic, equivalent to FO(ℝ, ℤ, +, <). Moreover, we know from Proposition 2.8 that the binary
reachability of a DCM is definable by a mixed formula.

Proposition 3.2. The binary reachability of a DCM with a single bounded k-testable counter is definable 
by a mixed formula, for every k>0. 

Proof. Let ℳ = (S, T) be a one-counter DCM, such that its only counter is b-bounded. Since there is
only one counter, a real value x is used instead of a vector x of counter values. We prove the case b = k,
since if b < k then all tests against j > b are just false, while if b > k then simply ℳ will not use the
tests against k + 1, k + 2, etc.

Let ℳ′ = (S′,T′) be the finite-test DCM with one free 1-testable counter, as defined by Lemma 2.9,
with ≪s,d,f≫ ∈ S′ for every s ∈ S, d ∈ {0,...,k}, f ∈ {0, 1/2}.

We claim that for every x^0, x^1 ∈ ℝ+ and s^0, s^1 ∈ S, with s_init, s_final ∈ S′,

(s°,x°) (s\x l ) if, and only if, («s init , [x°\ ,fr(x°) ^jg, (< jm, [x l \,fr(x l ) »,^} (1) 

The main proposition follows then immediately, since relation £T|) is decidable and can be described 
by a mixed formula. 

"Only If": This part is guaranteed by Condition (2) of Lemma |2.9l 

"If" part: Suppose that Formula © holds. We need to show that (s°,x°) ^ j/ (s l ,x l ). Condition (3) 
of Lemma 2.9 only applies to consistent runs, and in general runs of ℳ′ may not be consistent. However,
each fractional increment/decrement in a run of ℳ′ is chosen non-deterministically. Hence the value of
x can be adjusted for consistency with d and f. The proof of this claim requires some preliminary
definitions and propositions.

A consistent version of a configuration c = (≪s,d,f≫, x) is any configuration c′ = (≪s,d,f≫, x′),
for some x′ ∈ ℝ+, which is consistent.

We claim that for every consistent configuration c_0 = (≪s,d,f≫, x^0) and for every configuration
c_1 = (≪s_1,d_1,f_1≫, x^1),

if c_0 →_ℳ′ c_1, then there exists a consistent version c′_1 of c_1 such that c_0 →_ℳ′ c′_1,   (2)

defined by c′_1 = (≪s_1,d_1,f_1≫, x′), for some x′ ∈ ℝ+.

If a = 1, then c_1 is already consistent by definition of ℳ′. Hence, only a fractional increment/decrement
(i.e. if a = Δ and λ ≠ 0) may lead to an inconsistent configuration.

A special case of configuration is a zero-conf, i.e. any configuration of ℳ′ of the form
(≪s, (0,0)^n≫, 0). We can further assume that, in a finite-test DCM ℳ′, every zero-conf is always
consistent, since ℳ′ can test that every component of x is actually 0 (and crashes otherwise).

Assume first x^0 = 0 (i.e., c_0 is a zero-conf). Hence, d_1 = d, f_1 = 1/2 and x = δ for some δ, 0 < δ < 1.
Hence, c_1 is already consistent.

Assume now x^0 > 0. Hence, d_1 can differ from d at most by one.

To proceed, we need an additional observation. For all states ≪s,d,f≫ and ≪s′,d′,f′≫ of ℳ′,
for all (g,λ,a) ∈ Σ, for all x ∈ ℝ+, ∀ε ∈ [−1,1], with 0 < x + ε < k+1, if

(≪s,d,f≫, x) →^{g,λ,a}_ℳ′ (≪s′,d′,f′≫, x + ε)

then for every x′ ∈ ℝ+ such that 0 < x′ + ε < k+1 the same move can be repeated from x′:

(≪s,d,f≫, x′) →^{g,λ,a}_ℳ′ (≪s′,d′,f′≫, x′ + ε)   (3)

Property (3) is obvious since ℳ′ can only test x for zero, hence it cannot differentiate x from x′
before the move and it may apply the same increment.

By property (3), it is possible to make the same move from c_0 using a different increment (or
decrement): x can be increased (or decreased) by a value (larger or smaller than δ, but always in the interval
]0, 1[) which is enough to make up the difference for making the configuration consistent.

Let c_0 →_ℳ′ c_1 →_ℳ′ ··· →_ℳ′ c_l be a run of ℳ′, with l ≥ 0. We now prove by induction on l that if
c_0 is consistent, then there is another run of ℳ′, denoted by c_0 →_ℳ′ c′_1 →_ℳ′ ··· →_ℳ′ c′_l, where each c′_i is
a consistent version of c_i, 1 ≤ i ≤ l.

The case l = 0 is trivial (with c_0 = c′_0). Suppose l > 0. By induction hypothesis, c_0 →_ℳ′ c′_1 →_ℳ′
··· →_ℳ′ c′_{l−1}, each c′_i being a consistent version of c_i, 1 ≤ i ≤ l − 1. By Property (2), we can find a
consistent version c′_l of c_l such that c′_{l−1} →_ℳ′ c′_l.

By Condition (3) of Lemma 2.9, every consistent run of ℳ′ is also a run of ℳ, hence the proof is
completed. □
The proof is immediately extendable to the case where ℳ has also discrete reversal-bounded counters,
which are in no way influenced by the above construction. If the reversal-bounded counters are
dense-choice, though, decidability is still open. This result would need a new proof, because the
techniques used for Proposition 3.2 and Lemma 2.10 apparently cannot be combined.

4 Logical characterization of DCM 

4.1 Preliminary results about Mixed Formulae 

We consider here the language of mixed formulae, defined in [15], and adapted from Presburger
arithmetic. The language has two sorts of variables: real variables, denoted by x, x′, x_1, ... and integer
variables, denoted by y, y′, y_1, ...; the latter are a subsort of the former. The constants are 0 and 1, the
operations are + (binary), − (unary), ⌊ ⌋, and the relations are equality =, ordering < and congruences
≡_d for every constant d ∈ ℕ. Definition 4.1 formalizes this idea:

Definition 4.1. A mixed formula is inductively defined as follows. A mixed linear expression E is defined
by the following grammar, where x is a real variable and y is an integer variable:

E ::= 0 | 1 | x | y | E + E | E − E | ⌊E⌋

A mixed linear constraint C is defined by the following grammar, where d is a positive integer:

C ::= E = E | E < E | E ≡_d E

A mixed formula F is defined by the following grammar, where x ∈ ℝ and y ∈ ℤ:

F ::= C | ¬F | F ∧ F | ∃x.F | ∃y.F

The semantics of a mixed formula is like in the reals, ⌊r⌋ being the integer part of its real argument
r, and r_1 ≡_d r_2 holding if r_1 − r_2 = vd for some integer v.

Typically, one can use shorthands, such as using e.g. 3x for x + x + x, or introducing other common
operators (like >), etc.

Mixed formulae are equivalent to the well-known first-order additive theory of integers and reals
FO(ℝ,ℤ,+,<), since the floor operator ⌊x⌋ = y can be rewritten as ∃x_1(0 ≤ x_1 ∧ x_1 < 1 ∧ x − x_1 = y),
and x_1 ≡_d x_2 can be rewritten for a fixed d > 0 as ∃y(x_1 − x_2 = y + ··· + y), where the sum has d terms.
However, the main advantage of the richer syntax of mixed formulae is that it allows for quantifier
elimination, which is not possible in FO(ℝ,ℤ,+,<), as shown in Theorem 3.1 and Corollary 5.2 of [15].
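
The grammar of Definition 4.1 and the two rewritings into FO(ℝ,ℤ,+,<) can be checked mechanically. The following Python code is an added example, not part of the paper: it evaluates quantifier-free mixed formulae over exact rationals and compares the floor and congruence constraints with their rewritten forms on given values. The tuple encoding of formulae, the function names and the sample values are assumptions made for this illustration.

```python
from fractions import Fraction
from math import floor


def value(e, env):
    """Evaluate E ::= 0 | 1 | x | y | E + E | E - E | floor(E) under env."""
    if isinstance(e, int):
        if e not in (0, 1):
            raise ValueError("the only constants of the grammar are 0 and 1")
        return Fraction(e)
    tag = e[0]
    if tag == "real":                       # ("real", name): real variable
        return Fraction(env[e[1]])
    if tag == "int":                        # ("int", name): integer variable
        v = Fraction(env[e[1]])
        if v.denominator != 1:
            raise ValueError(f"integer variable {e[1]} bound to {v}")
        return v
    if tag == "+":
        return value(e[1], env) + value(e[2], env)
    if tag == "-":
        return value(e[1], env) - value(e[2], env)
    if tag == "floor":
        return Fraction(floor(value(e[1], env)))
    raise ValueError(f"not a mixed linear expression: {e!r}")


def holds(f, env):
    """Decide a quantifier-free mixed formula (constraints, 'not', 'and')."""
    tag = f[0]
    if tag == "=":
        return value(f[1], env) == value(f[2], env)
    if tag == "<":
        return value(f[1], env) < value(f[2], env)
    if tag == "cong":                       # ("cong", d, E1, E2): E1 is congruent to E2 mod d
        _, d, a, b = f
        if not (isinstance(d, int) and d > 0):
            raise ValueError("the modulus d must be a positive integer")
        return ((value(a, env) - value(b, env)) / d).denominator == 1
    if tag == "not":
        return not holds(f[1], env)
    if tag == "and":
        return holds(f[1], env) and holds(f[2], env)
    raise ValueError(f"not a mixed formula: {f!r}")


X, X1, Y = ("real", "x"), ("real", "x1"), ("int", "y")
FLOOR_DIRECT = ("=", ("floor", X), Y)
# Body of: exists x1 (0 <= x1 and x1 < 1 and x - x1 = y); 0 <= x1 is written not(x1 < 0).
FLOOR_BODY = ("and", ("not", ("<", X1, 0)),
              ("and", ("<", X1, 1), ("=", ("-", X, X1), Y)))


def floor_rewrite_holds(x, y):
    """The conjunct x - x1 = y leaves x1 = x - y as the only possible witness."""
    return holds(FLOOR_BODY, {"x": x, "y": y, "x1": Fraction(x) - y})


def cong_rewrite_holds(d, a, b):
    """Decide: exists integer y with a - b = y + ... + y (d summands)."""
    y = (Fraction(a) - Fraction(b)) / d     # the only candidate witness
    if y.denominator != 1:
        return False
    total = ("int", "y")
    for _ in range(d - 1):
        total = ("+", total, ("int", "y"))
    lhs = ("-", ("real", "a"), ("real", "b"))
    return holds(("=", lhs, total), {"a": a, "b": b, "y": y})


# Constructed sample values (x, y) for the floor constraint.
SAMPLES = [(Fraction(7, 2), 3), (Fraction(7, 2), 4), (Fraction(-1, 2), -1), (2, 2), (2, 1)]

if __name__ == "__main__":
    for x, y in SAMPLES:
        print(x, y, holds(FLOOR_DIRECT, {"x": x, "y": y}), floor_rewrite_holds(x, y))
```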

4.2 Mixed formulae are definable by reversal-bounded DCM 

It is well known that reversal-bounded discrete CM can define all Presburger formulae. Since Presburger 
logic admits effective quantifier elimination, the binary reachability of r.b. discrete CM can effectively 
define all Presburger relations. A similar result holds for r.b. DCM, using mixed formulae (and the ef- 
fectiveness of quantifier elimination) instead of Presburger formulae. 

Let 0 be a vector (0, ..., 0) of size n. A quantifier-free mixed formula F(z_1, ..., z_n) in the free
variables z_1 > 0, ..., z_n > 0 is definable by a DCM ℳ with at least n counters x_1, ..., x_n (and possibly
more) if ℳ, starting in a given initial configuration (s,0), may reach all, and only, final configurations
(s_fin, x) such that F(x_1/z_1, ..., x_n/z_n) holds (where x_i/z_i denotes a substitution of variable z_i with value
x_i).

Proposition 4.2. Let F(x_1, ..., x_n, y_1, ..., y_p) be a quantifier-free mixed formula, with x_1 > 0, ..., x_n >
0, y_1 > 0, ..., y_p > 0. Then F is definable with a r.b. DCM.

The idea of this proof (detailed in the appendix) involves several steps which can easily be
understood. First, we assume (w.l.o.g.) that F is in disjunctive normal form; then, we transform it into a
union of intersections of smaller formulae of the form E ∼ 0, with ∼ ∈ {>, =, <, ≡_d, ≢_d}. The main idea
is to encode each of these formulas E ∼ 0 by a r.b. DCM, in which there are n r.b. dense-choice counters
x, p r.b. discrete counters y, and possibly more r.b. counters. We provide a simple r.b. DCM encoding for
each of these formulae E ∼ 0, in which the machine accepts a run, with initial counter valuations equal
to the assignment of the free variables of F, if and only if this assignment of variables makes the formula
true.

Then, we just have to connect each r.b. DCM as follows. Each machine has a final control state, 
which we connect with a transition to the initial control state of another machine; both of them are in fact 
a (bigger) machine. For the union, we add one transition going from the final state of the first machine 
to the initial state of each machine encoding a component of the union. Then, each of these components 
is a series of machines, encoding intersections. The last component of each intersection is encoded by a 
machine whose final state leads to an accepting sink state (which is the final state of the overall r.b. DCM 
encoding F). Finally, this sink state is reached if and only if the formula F is satisfied. 

Since the quantifier elimination of mixed formulae is effective, and since we can encode negative 
variables with a sign bit in the control states, then we can directly deduce the following theorem: 

Theorem 4.3. Any mixed formula can be defined by a r.b. DCM. 

This theorem is actually dual to the one in [16] (cited here as Proposition 2.8), which states that the
binary reachability of a r.b. DCM (with an additional free counter) is a mixed formula. Hence, we get an
exact characterization of r.b. DCM.

As a matter of fact, Theorem 4.3 can be combined with other results about mixed formulae. For
example, we know that the binary reachability of a flat counter automaton or of a timed automaton 
llH is definable by a mixed formula. Hence, we can construct a r.b. DCM which is accepting exactly the 
binary reachability of a given flat counter automaton or timed automaton. 

5 Conclusions and future work 

The goal of this paper is to shed a more formal light on DCM, hence clarifying their relation with 
(discrete) CM. This makes us notice that there are very simple results for CM that still hold for DCM, but 
require a much more difficult proof. A first extension is to allow dense-choice counters to be compared 
to an integer constant k, and not only to 0. We showed that dense-choice counters are not more powerful 
when they are k-testable, even in the case of r.b. DCM, or of DCM with a single bounded counter.

A second extension is the exact characterization of r.b. DCM with the well-known first-order additive 
logic of integers and reals, similarly to r.b. CM with Presburger logic. 

We also found results that cannot be extended from CM to DCM. For instance, restricting dense- 
choice counters to be bounded does not imply decidability. 
Future work. Other existing results for CM (such as the rich properties for one-counter machines)
could be extended to DCM. There are also missing items in the table of Section 3 which do not seem to
be easily inferable from known results. One could also study different versions of dense-choice counters,
such as DCM in which tests of the form (x = 0) are forbidden (leading to what we would call
"Dense-choice Petri Nets"). We would also like to formally compare timed automata with DCM, using
languages.
Appendix: Proofs

Lemma 2.10. A DCM ℳ = (S,T) with one free 0-testable counter and n k-testable 1-r.b. counters is
equivalent to a DCM ℳ° = (S°,T°) with one free 0-testable counter and up to 2n + 2k(n+1) 0-testable
r.b. counters.

Proof. Assume that in ℳ all r.b. counters are actually 0-reversal (i.e., they do not make any reversal:
the counter can never "come back" to previous values), that all r.b. counters start from 0, and that there
is no equality test against any j > 0 (i.e., only x > j or x < j tests are allowed). Finally, assume that ℳ
has no free counter, and hence has only n k-testable 1-r.b. counters. All these restrictions are then lifted
at the end of the proof.

Let ℳ′ = (S′, T′) be a finite-test DCM verifying Lemma 2.9.

Consider now ℳ°.

Let S° = S′ × {simul, check}. If ℳ starts in a state s_0, with all counters initially at 0, then ℳ° starts
in state ≪(s_0, (0,0)^n), simul≫, with all counters initially at 0.

ℳ° works in two phases: first in simul phase and then in check phase. Correspondingly, T° is the
union of two sets of transitions: T^SIMUL and T^CHECK.

The simul phase simulates a run of ℳ′ on the first n counters, hence using finite-state tests rather
than actual tests on the counters in position 1 to n. However, during the simul phase, ℳ° replicates the
values stored in x_i into the first n(k+1) additional counters.

The check phase verifies that the simulated run of ℳ′ is actually consistent, by checking the actual
counter values stored in the additional counters, and crashing if, and only if, the simulated run was not
consistent (e.g., verifying that if the simulated run entered a configuration with d_i = j ∧ f_i = 1/2, then
j < x_i < j + 1). Hence, ℳ° can faithfully simulate ℳ.

For clarity, let c(i,j) = n + (i − 1) * (k + 1) + j + 1, for every 1 ≤ i ≤ n, 0 ≤ j ≤ k.
Hence, c(1,0), c(1,1), ..., c(1,k) are the indexes of counters x_{n+1}, x_{n+2}, ..., x_{n+k+1}, and c(2,0), ..., c(2,k)
are the indexes of counters x_{n+k+2}, ..., x_{n+2k+2}, etc.

T^SIMUL is defined as follows:

1. For all (s\, (g',A,a),s 2 ) € T', the transition (<4,siMUL>,(g',A ,a ),<4,siMUL>) is in r siMUL , if, for 
every i, 1 < i < n: 

• Xf = Xi,a9 = af, 

• X^ i0 j = ■ ■■ = A^. rf = (i.e., the corresponding counters stay); 

• if it is not the case that s\ is such that dj = kf\f = \ /2, then X^ d +l ^ = A?,. d +T) = A°,. = 

Xi and a c (^. + i) = a c (ijj+2) = a c(i,k+\) = a i (i- e -> the corresponding counters make the same 
move as x,); 

• if s\ is such that di = k/\ f =1/2, then A^. d+l ^ = 0. 

2. For every s′ ∈ S′, (≪s′, simul≫, (true, 0, a), ≪s′, check≫) is a move in T^SIMUL for any a (where
0 (resp. true) is the vector with 0 (resp. true) in every component).

3. No move in T^SIMUL is other than those defined in (1) and (2).

The meaning of group (2) of moves is to make ℳ° enter the check phase, which is intended to verify
whether the finite-state tests used in the simul phase were correct.

Without defining T^CHECK formally, we describe how ℳ° can check that whenever entering a
configuration with d_i = j ∧ f_i = 1/2, for every i, 1 ≤ i ≤ n and for every j, 0 ≤ j ≤ k, then actually j < x_i < j + 1.
The value of x_i at the precise moment that such configuration was entered is still stored in x_{c(i,j)}. Since
the counter x_i cannot make any reversal, to make sure that the configuration at that time was consistent
with x_i, it is enough to check whether j < x_{c(i,j)} < j + 1 and crash if this is not the case.

Let z_{ij} be the value of x_{c(i,j)} when ℳ° enters the check phase. ℳ° decrements x_{c(i,j)} of exactly j
(using integer decrements). If the machine does not crash, then z_{ij} > j. Then, to make sure that z_{ij} < j + 1
(i.e. 0 < x_{c(i,j)} < 1 for the current value of x_{c(i,j)}), ℳ° verifies that if x_{c(i,j)} = 0 then z_{ij} = j. Otherwise,
ℳ° makes a fractional decrement of x_{c(i,j)} and crashes if the result is different from 0. Hence, the only
case where there exists a computation that does not crash is when there exists δ, 0 < δ < 1, such that
x_{c(i,j)} = δ. ℳ° repeats this procedure for every i, 1 ≤ i ≤ n, and for every j, 0 ≤ j ≤ k. Finally, ℳ° ends
the computation. It should be clear that if ℳ° ends its computation without crashing then the original
tests of ℳ were guessed correctly by ℳ°.

The restriction of not having equality tests can be lifted just by noticing that a test x_i = k is replaced
in ℳ′ by a test whether d_i = k ∧ f_i = 0. It is enough that the machine marks, in its finite control, the
actual value of f_i when d_i becomes equal to j. If f_i = 0 then the check phase should only check whether
z_{ij} = j rather than checking whether j < z_{ij} < j + 1.

The restriction of having only 0-reversal counters can be eliminated by adding n(k + 1) more
0-testable 1-r.b. counters to ℳ° and extending the simul phase to use also these additional counters.
Denote by c(i,j) the value n + n(k+ 1) + (/— l)*(k + 1) + 1. Each counter Xc(ij) makes the same 
move as x,-, with < j < k and i <i < n, as long as x,- is in its increasing phase (i.e., A°(c(/, j)) = 
When the decreasing phase for x,- starts, with in a state <^s,d\,...,d n ,fi,...,f n ^>, then s imul acts 
on the counters in the positions c(i,j) with A and a defined as follows: 

• ^e(i,di) = ^e(i,di+i) = '"= ^eu,k) = ^- e -' the corresponding counters stay); 

• if it is not the case that s[ is such that dt = k/\ft = 1/2 then () j = !) = ••• = d = A,- 
and a.^.Q-j = a^. ^ = ■ ■ • = a^ id _^ = a, (i.e., the corresponding counters make the same move as 
the j-th counter); 

• if s[ is such that di = k/\ ft = 1/2, then also ^ = (i.e., the counter stays). 

The check phase for these new counters in position c(i,j) is exactly the same as for the previously 
introduced n(k+ 1) counters in positions c(i,j). 

The restriction on all counters being initialized at 0 can also be lifted by making ℳ° guess at the
beginning of the computation the correct values of each d_i and f_i, and initializing 2n additional 1-r.b.
counters with a copy of the first n counters. This can be obtained by emptying each counter x_i, 1 ≤ i ≤ n,
with integer decrements first and then with one fractional decrement, finally crashing if x_i is not 0, so
verifying if d_i and f_i were guessed correctly. At the same time, a new counter, say x′_i, is increased of
the same amounts used to decrement x_i to 0. When x_i = 0 and the test is passed, ℳ° continues the
computation as above, but using counter x′_i instead of x_i (since it stores exactly the original value of x_i)
and starting in a state with the previously guessed values of d_i and f_i rather than from d_i = f_i = 0.

Finally, the restriction of not having in ℳ a free 0-testable counter can easily be removed, by adding a
free 0-testable counter also to ℳ°. ℳ° may also simulate the behaviour of this counter during the simul
phase, leaving it to stay during the check phase. This does not affect any of the above constructions. □



Proposition 4.2. Let F(x_1, ..., x_n, y_1, ..., y_p) be a quantifier-free mixed formula, with x_1 > 0, ..., x_n >
0, y_1 > 0, ..., y_p > 0. Then F is definable with a r.b. DCM.

Proof. Assume (w.l.o.g.) that F is in disjunctive normal form:

F = F_1 ∨ F_2 ∨ ... ∨ F_m

Hence, it is the disjunction of clauses F_i of the form:

F_i = F_{i1} ∧ F_{i2} ∧ ··· ∧ F_{im_i}

where each F_{ij}, in the free variables x_1, ..., x_n, y_1, ..., y_p, can always be reduced, by pushing negation to
the relational symbol and by elementary algebraic transformations, to the form:

E ∼ 0

where ∼ ∈ {>, =, <, ≡_d, ≢_d}. For instance, if F_{ij} is E_1 < E_2, then one may check instead if E_1 − E_2 < 0,
etc.

Below we show that for every F_{ij}, there exists a r.b. DCM ℳ_{ij} with r.b. dense-choice counters
x_1, ..., x_n and r.b. discrete counters y_1, ..., y_p (and possibly more r.b. counters x_{n+1}, ... and y_{p+1}, ...)
that accepts when relation F_{ij} is verified on the initial values of the counters x_1, ..., x_n, y_1, ..., y_p.

This immediately entails that, for each clause F_i, there exists a r.b. DCM ℳ_i that accepts if F_{i1} ∧
F_{i2} ∧ ··· ∧ F_{im_i} is verified on the initial values of its r.b. counters x_1, ..., x_n, y_1, ..., y_p. In fact, since F_i is the
conjunction of all F_{ij}, ℳ_i is a r.b. DCM that first makes m_i copies of counters x_1, ..., x_n, y_1, ..., y_p and
then simulates each ℳ_{ij} started on one of the copies. ℳ_i accepts if, and only if, all ℳ_{ij} accept.

Therefore, it is possible to build a r.b. DCM ℳ whose binary reachability describes relation F: ℳ
starts with all counters equal to zero; first, it makes nondeterministic increments of each counter, guessing
a tuple of values for x_1, ..., x_n, y_1, ..., y_p such that at least one F_i (hence, also F) holds; second, it follows
the computation of ℳ_i described above, in order to verify that all guesses are correct. In order to end
in a configuration in which the n first counters hold the values of the n variables making F true, we will
make copies of these counters so that we do not modify them during the verification that they have been
guessed right.

To show that for every i,j there actually exists a r.b. DCM ℳ_{ij} defining F_{ij}, we first prove by
induction on the structure of E that the value of E can be encoded by a r.b. dense-choice counter for |E|
and a flag in the control state for the sign of E. Recall that a counter value can always be copied a fixed
number of times, using the encoding of Figure 1b.

The base steps of the induction are the cases when E is 0, 1, x_j, y_j, which are obvious.
Assume now that E is (E_1 + E_2), with a copy of |E_1| and |E_2| stored in two suitable r.b. counters,
with their sign flags in the finite state control. We can assume that E_1 and E_2 have the same sign (e.g., if
E_1 > 0 and E_2 < 0 then E_1 + E_2 can be rewritten as E_1 − |E_2|). We only need to consider the case when
both are positive (if both are negative, then compute |E_1| + |E_2|, store the result in a r.b. counter with the
sign flag being negative). The addition E_1 + E_2 can then be done using the encoding of Figure 1c.

Assume now that E is (E_1 − E_2), again with a copy of |E_1| and |E_2| stored in two suitable r.b. counters
x_1 and x_2 (respectively), with sign flags. We only need to consider the case where both E_1 and E_2 are
positive (the other cases can be easily eliminated or reduced to an application of +). We can also assume
that E_1 > E_2. If E_2 > E_1 then the machine will guess it and it may compute E_2 − E_1 instead, changing the
sign of the result. The computation of E_1 − E_2 can then be done using the encoding of Figure 1d. Notice
that if the machine made the wrong guess that E_1 > E_2, while instead E_2 < E_1, then this procedure will
crash (hence, the non-deterministic choice has to be the correct one).

Finally, assume that E is ⌊E′⌋; then the automaton on Figure 2a can reach s′ from s if and only if
y = ⌊x⌋.

[Figure 2: Encodings of "integer part" and "modulo". (a) Storage of the integer part of x; (b) Test of x ≡_d 0]

We just showed how to encode a mixed linear expression E in a r.b. DCM. To complete the proof
that there is a r.b. DCM accepting F_{ij}, it is enough to show that there exists a r.b. DCM ℳ which
can check whether E ∼ 0 (since F_{ij} is of this form). Since the value of |E| is stored in a r.b. counter x,
with a flag in the control state for the sign of E, then tests E < 0 and E > 0 are immediate. Of course,
E = 0 is trivial too, since it can be tested by a guard (x = 0).

The two remaining cases are zero-congruences modulo an integer d. The automaton on Figure 2b
can reach s′ from s if and only if E ≡_d 0, for a given integer d (the value of E being stored into counter
x).

To accept if E ≢_d 0, then ℳ first checks if x − ⌊x⌋ > 0, accepting if this is the case. If x − ⌊x⌋ = 0
then ℳ guesses the integer constant v ∈ [0, d] such that E − v ≡_d 0. This can be computed as already
explained above.

Thus, we gave a constructive proof that there exists a r.b. DCM defining any mixed formula. 

□ 



